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Abstract 

The Timed Concurrent Constraint Language {tccp in short) is a concurrent logic language 
based on the simple but powerful concurrent constraint paradigm of Saraswat. In this 
paradigm, the notion of store-as-value is replaced by the notion of store-as-constraint, 
which introduces some differences w.r.t. other approaches to concurrency. 

In this paper, we provide a general framework for the debugging of tccp programs. To 
this end, we first present a new compact, bottom-up semantics for the language that is 
well suited for debugging and verification purposes in the context of reactive systems. 
We also provide an abstract semantics that allows us to effectively implement debugging 
algorithms based on abstract interpretation. 

Given a tccp program and a behavior specification, our debugging approach automati- 
cally detects whether the program satisfies the specification. This differs from other semi- 
automatic approaches to debugging and avoids the need to provide symptoms in advance. 
We show the efficacy of our approach by introducing two illustrative examples. We choose 
a specific abstract domain and show how we can detect that a program is erroneous. 

KEYWORDS: concurrent constraint paradigm, denotational semantics, abstract diagno- 
sis, abstract interpretation 



1 Introduction 

Finding program bugs is a long-standing problem in software construction. In the 
concurrent paradigms, the problem is even worse and the traditional tracing tech- 

* This work has been partially supported by the EU (FEDER), the Spanish MICINN under grant 
TIN2010-21062-C02-02 and by the Universitat Politecnica de Valencia under grant PAID-00-10. 
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niques are almost useless. There has been a lot of work on algorithmic debugging (?) 
for declarative languages, which could be a valid proposal for concurrent paradigms, 
but little effort has been done for the particular case of the concurrent constraint 
paradigm (ccp in short; (?)). The ccp paradigm is different from other programming 
paradigms mainly due to the notion of store-as-constraint that replaces the classical 
store-as-valuation model. In this way, the languages from this paradigm can easily 
deal with partial information: an underlying constraint system handles constraints 
on system variables. Within this family, (?) introduced the Timed Concurrent Con- 
straint Language {tccp in short) by adding to the original ccp model the notion of 
time and the ability to capture the absence of information. With these features, 
it is possible to specify behaviors typical of reactive systems such as timeouts or 
preemption actions, but they also make the language non-monotonic. 

In this paper, we develop an abstract diagnosis method for tccp using the ideas 
of the abstract diagnosis framework for logic programming (?). This framework, 
parametric w.r.t. an abstract program property, is based on the use of an abstract 
immediate consequence operator to identify bugs in logic programs. It can be con- 
sidered as an extension of algorithmic debugging since there are instances of the 
framework that deliver the same results. The intuition of the approach is that, 
given an abstract specification of the expected behavior of the program, one auto- 
matically detects the errors in the program. The framework does not require the 
determination of symptoms in advance. In order to achieve an effective method, 
abstract interpretation is used to approximate the semantics, thus results may be 
less precise than those obtained by using the concrete semantics. 

The approach of abstract diagnosis for logic programming has been applied to 
other paradigms (?; ?; ?). This research revealed that a key point for the efficacy 
of the resulting debugging methodology is the compactness of the concrete seman- 
tics. Thus, in this proposal, much effort has been devoted to the development of 
a compact concrete semantics for the tccp language to start with. The already ex- 
isting denotational semantics are based on capturing the input-output behavior of 
the system. However, since we are in a concurrent (reactive) context, we want to 
analyze and debug infinite computations. Our semantics covers this need and is suit- 
able to be used not only with debugging techniques but also with other verification 
approaches. 

Our new (concrete) compact compositional semantics is correct and fully abstract 
w.r.t. the small-step behavior of tccp. It is based on the evaluation of agents over 

a denotation for a set of process declarations D, obtained as least fixpoint of a 
(continuous, monotone) immediate consequence operator 

Thanks to the compactness of this semantics, we can formulate an efficacious 
debugging methodology based on abstract interpretation which proceeds by ap- 
proximating the VlDj operator producing an "abstract immediate consequence 
operator" We show that, given the abstract intended specification S" of 

the semantics of the declarations D, we can check the correctness of 2? by a single 
application of P^ID] and thus, by a static test, we can determine all the process 
declarations d € D which are wrong w.r.t. the considered abstract property. 

To our knowledge, in the literature there is only another approach to the debug- 
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ging problem of ccp languages, (?), which is also based on the abstract diagnosis 
approach of (?). However, they consider a quite different concurrent constraint 
language without non-monotonic features, which we consider essential to model 
behaviors of reactive systems. 

2 The Timed Concurrent Constraint language 

The tccp language is particularly suitable to specify both reactive and time critical 
systems. As the other languages of the ccp paradigm (?), it is parametric w.r.t. 
a cylindric constraint system. The constraint system handles the data information 
of the program in terms of constraints. In tccp, the computation progresses as the 
concurrent and asynchronous activity of several agents that can (monotonically) 
accumulate information in a store, or query some information from that store. 
Briefly, a cylindric constraint systerrj^ C ~ {C,<,®,(B,tt,ff , Var,J) is composed 
of a set of finite constraints C ordered by <, where ® and ® are the glh and lub, 
respectively, tt is the smallest constraint whereas ff is the largest one. We often 
use the inverse order h (called entailment) instead of ^ over constraints. Var is a 
denumerable set of variables and 3 existentially quantifies variables over constraints 
(the so called cylindric operator). 

Given a cylindric constraint system C and a set of process symbols 11, the syntax 
of agents is given by the following grammar: 

n 

A ::= skip | tell(c) | ^ask(ci) Ai \ now c then Ai else A2 | || | Ba: A | p{x) 

i=l 

where c and Ci are finite constraints in C, p G 11, a; G Var and af is a list of 
variables xi, . . . ,a;„ with 1 < i < n, .t^ G Var. A tccp program P is an object of 
the form -D.Aq, where Aq is an agent, called initial agent, and I? is a set of process 
declarations of the form p{x) :— A (for some agent A). 

The notion of time is introduced by defining a discrete and global clock: it is 
assumed that the ask and tell agents take one time-unit to be executed. For the op- 
erational semantics of the language, the reader can consult (?). Intuitively, the skip 
agent represents the successful termination of the agent computation. The tell(c) 
agent adds the constraint c to the current store and stops. It takes one time-unit, 
thus the constraint c is visible to other agents from the following time instant. The 
store is updated by means of the ® operator of the constraint system. The choice 
agent X]r=i ^^'^(ci) ^ consults the store and non-deterministically executes (at 
the following time instant) one of the agents Ai whose corresponding guard Ci holds 
in the current store; otherwise, if no guard is satisfied by the store, the agent sus- 
pends. The agent now c then ^ else B behaves in the current time instant like A 
(respectively B) if c is (respectively is not) satisfied by the store. The satisfaction is 
checked by using the h operator of the constraint system. Note that this agent can 
process negative information: it can capture when some information is not present 

^ See (?; ?) for more details on cylindric constraint systems. 
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in the store since the agent B is executed both when is satisfied, but also when 
neither c nor -ic are satisfied. ^ || S models the parallel composition of A and B in 
terms of maximal parallelism (in contrast to the interleaving approach of ccp), i.e., 
all the enabled agents of A and B are executed at the same time. The agent 3x A 
is used to make variable x local to A. To this end, it uses the 3 operator of the 
constraint system. Finally, the agent p{x) takes from D a declaration of the form 
p{x) :— A and executes A at the following time instant. For the sake of simplicity, 
we assume that the set D of declarations is closed w.r.t. parameter names. 



3 Modeling the small-step operational behavior of tccp 

In this section, we introduce a denotational semantics that models the small-step 
behavior of tccp. Due to space limitations, in this paper we show the concrete 
semantics and the most relevant aspects of the abstract one. The missing definitions, 
as well as the proofs of all the results, can be found in (?). 

Lcit us formalize the notion of behavior for a set D of procciss declarations. It 
collects all the small-step computations associated to D as the set of (all the prefixes 
of) the sequences of computational steps, for all possible initial agents and stores. 

Definition 1 [Small- step behavior of declarations) 

Let £) be a set of declarations. Agent the set of possible agents, and — > the transition 
relation given by the operational semantics in (?). The small-step behavior of D is 
defined as follows: 

B-pl := y BlD.Aj, 

\/ceCyAeAgent 

where BlD.Aj^ := {c • ci c„ | {A,c) (Ai,ci) ^ . . . -> (A„,c„)} U {e}. 

We denote by the equivalence relation between declarations induced by B**, 
namely ^ B^^pil = S^^psl- 

The pair (Aj, Cj) denotes a configuration where Ai is the agent to be executed, and 
Ci the store at that computation step. Thus, the small-step behavior is the set of 
sequences of stores that are computed by the operational semantics of the language. 

There are many languages where a compact compositional semantics has been 
founded on collecting the possible traces for the weakest store, since all traces 
relative to any other initial store can be derived by instance of the formers. In tccp, 
this does not work since the language is not monotonic: if we have all traces for an 
agent A starting from an initial store c and we execute A with a more instantiated 
initial store d, then new traces, not instances of the formers, can appear. 

Furthermore, note that, since we are interested in a bottom-up approach, we 
cannot work assuming that we know the initial store. However, when we define the 
semantics of a conditional or choice agent where some guard must be checked, we 
should consider different execution branches depending on the guard satisfiability. 
To deal with all these particular features, our idea is that of associating conditions to 
computation steps, and to collect all possible minimal hypothetical computations. 
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3.1 The semantic domain 



In (?), reactive sequences are used as semantic domain for the top-down semantics. 
These sequences are composed of a pair of stores (c, c') for each time instant meaning 
that, given the store c, the program produces in one time instant the store c'. The 
store is monotonic, thus c' always contains more (or equal) information than c. 
As we have explained before, this information is not enough for a bottom-up 



information about the essential conditions that the store must satisfy in order 
to make the program proceed. We define a condition rj as a, pair 77 = {r]^,r]~) 
where S C (respectively r]~ S p(C)) is called positive (respectively negative) 
component. A condition is said to be inconsistent when its positive component is 
ff or when it entails any constraint in the negative component. Given a store c S C, 
we say that c satisfies 77 (written c\> rj) when c entails r]'^ , rj^ ^ jj and c does not 
entail any constraint from 77". An inconsistent condition is satisfied by no store, 
while the pair {tt, 0) is satisfied by any store. 

A conditional reactive sequence is a sequence of conditional tuples, which can be 
of two forms: (i) a triple 77 — >■ (a, b) that is used to represent a computational step, 
i.e., the global store a becomes b at the next time instant only if a [> 77, or (ii) a 
construct stutt{C) that models the suspension of the computation due to an ask 
agent, i.e., it represents the fact that there is no guard in C (the guards of the 
choice agent) entailed by the current store. We need this construct to distinguish a 
suspended computation from an infinite loop that does not modify the store. 

Our denotations are composed of conditional reactive sequences: 

Definition 2 [Conditional reactive sequence) 

A conditional reactive sequence is a sequence of conditional tuples of the form 
ti . . . tn ■ ■ ■ , maybe ended with □, such that: for each ti = rji ^ (a^, 5^), bi h ai 
for i > 1, and for each tj — rjj — > (oj, bj) such that j > i, Oj h bi. The empty 
sequence is denoted with e. si ■ S2 denotes the concatenation of two conditional 
reactive sequences Si, S2. 

A set of conditional reactive sequences is maximal if none of its sequences is 
the prefix of another. By M we denote the domain of sets of maximal conditional 
reactive sequences, whose order is induced from its prefix closure, namely i?i C 
i?2 ^ prefix{Ri) C prefix{R2)- (M, C, |J, |~|, _L, T) is a complete lattice. 



In order to associate a denotation to a set of process declarations, we need first to 
define the semantics for agents. Let us now introduce the notion of interpretation. 




Our idea is to enrich the reactive sequence notion so that we keep 



3.2 Semantics Evaluation Function for Agents 



^ In a top-down approach, the (initial) current store is propagated, thus decisions regarding the 
satisfaction or not of a given condition can be taken immediately. 



6 



M. Comini, L. Titolo and A. Villanueva 



Definition 3 {Interpretations) 

Let MGC :~ {p{x) \ p & li, x are distinct variables} be the set of most general 
calls. An interpretation is a function MGC — > M modulo variance]^ Two functions 
/, J : MGC — M are variants, denoted by / = J, if for each tt S MGC there exists 
a variable renaming p such that {I'i^)p = J{'Kp). The semantic domain I is the set 
of all interpretations ordered by the point- wise extension of C. 

The application of an interpretation I to a most general call tt, denoted by I(7r), 
is the application /(vr) of any representative I of X which is defined exactly on 
TT. For example, if I = {X(p{x,y). {{tt,9) ^ {tt, x = y)})/^ then X{Lp{u,v)) — 
{(tt,0) (tt, w = u)}. 

The technical core of our semantics definition is the agent semantics evaluation 
function which, given an agent and an interpretation, builds the maximal condi- 
tional reactive sequences of the agent. 

Definition 4 {Agents Semantics) 

Given an agent A and an interpretation Z, the semantics ^|j4]x is defined by 
structural induction: 
^[skipli = {□} 

yt[tell(c)]x = {{tt, 0) ^ {tt, c) ■ □} (1) 
-4Er=i ask(c,) ^ A,h = Ur=i{(c., 0) ^ (cz, c.) ■ (c, s) ] s G AU^jx} U 

\_\{stutt{u7^ic,) ■ s I s G AlY:'Li ask(cO ^ A>]i,Vi G [l,n].c, / tt} (2) 
Alnow{d) then A else Bjx = {{d, 0) (d, d) ■ □ | □ G yi|[A]i}U 

|J{(c+ (g) d,c') {c(g)d, c (g)d) ■ {dQ s) \ (c+,c") (c, c) ■ s € AlAjx, 

c(g)d [> (c+ c")}U 

|J{(d,C) (d, d) ■ (d0s) I st«tt(C) • s G ^Mi, d l> (d,C)}U 

|J{(tt,d) ^ (tt, tt) ■ □ I □ G yi|[B]i}U 

\J{{c+, c- U {d}) ^ (c, c') ■ s I (c+, C-) ^ (c, c') ■ s G ^[BIi, 

c \> (c+,c" U {d})}U 
[J{(tt, C U {d}) ^ (tt, tt)- s \ stutt{C) ■ s G ^|I-B]i} (3) 
AlA II B]i = □{sA|'|si3 1 SA G AlA}x,SB G y^IBJi} (4) 

yipxyl]x = |J{s G M I 3s' G AlAjx such that 3^s = 3^s', (5) 
s' is a::-connected, s is a;-invariant} 

Alp{z)jx = □{(«, 0) ^ {tt, tt)-s \ se l{p{z))} 

Let us now illustrate the idea of the semantics. The tell agent works independently 
of the current store, thus in ([T]), the conditional reactive sequence starts with a 
conditional tuple composed by the condition (tt, 0), which is always satisfied, and a 
second part that says that the constraint c is added during the first computational 
step; afterwards, the computation terminates with □. 



^ i.e., a family of elements of M, indexed by MGC, modulo variance. 
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/i0 s = < 



The semantics for the non-deterministic choice ([2|, collects for each guard Ci a 
conditional sequence of the form (ci,0) — ?> {ct, ct) ■ (ci s). The condition states 
that Ci has to be satisfied by the current store, whereas the pair {ci,Ci) represents 
the fact that the query to the store does not modify the store. The constraint Ci is 
propagated into the sequence s (the continuation of the computation which belongs 
to the semantics of Ai) by means of the propagation operator that (consistently) 
adds a given constraint to the stores appearing in a sequence: 

{a (g) h, b h) ■ {h Q s') if s = 77 (a, b) • s', r]^ (g h ^ ff, 

b^ h ^ ff,a® h t> T] 
{a®h,ff) if s = 77 ^ (a, b) ■ s', r)+ ff, 

b0 h = ff,a0 h [> T] 
stutt{rj~) ■ (h s') if s = stutt{r]~) ■ s' 

ifs = eors = n 

In addition, we have to model the case when the computation suspends, i.e., when 
no guard of the agent is satisfied by the current store. Sequences representing this 
situation are of the form stutt(U''^^i{ci}) ■ s where s is, recursively, an element of the 
semantics of the choice agent. The only case when we do not include the stuttering 
sequence is when one of the guards Ci is tt. Note that, due to the partial nature 
of the constraint system, the fact that the disjunction of the guards is tt is not a 
suffi-cient condition to avoid suspension. 

The definition of the conditional agent now is similar to the previous one. How- 
ever, since it is instantaneous, we have 6 cases depending on the 3 possible heads 
of the sequences of the semantics of A (respectively B) and on the fact that the 
guard d is satisfied or not in the current time instant. 

The semantics for the parallel composition of two agents Q, is defined in terms 
of an auxiliary commutative operator || which combines the sequences of the two 
agents: 

{a (g) c, b (g) d) ■ {d Q s'A)\\(b Q s'b] 



sa\\sb = < 



iv (g)c S) (a® c, ff) 



US ) ^ {o, 6) • Sa|'|(&0Ss) 



stutt{r] U 5 



SA 



if SA = -s> {a, b) ■ sa, 
SB — 5 ^ (c, d) ■ s'b, 
a®c> {ri(g)cS),b(g d ff 
if SA = J? — ^ {a, b) ■ Sa, 
SB — S ^ (c, d) ■ s'b, 
a(g cf> {r] (g)c S),b (g) d — ff 
if Sa = r? {a, b) ■ s'a, 
Sb = stutt(5^) ■ s'b, 
a > {ri^,^' U 5~) 
if Sa = stutt{ri~) ■ sa, 
s'b ~ stutt{S~) ■ s'b 
if s_B = e or ss = □ 



For the hiding operator ([s]), we collect the sequences that satisfy the restrictions 
regarding the visibility of the hided variables. In particular, a conditional reactive 
sequence s — ti . . .tn . . . is x-connected when (1) if ii = 771 — > {cii, 61) then 3xO-i — 
ai and (2) for each ti — iji — (a^, hi) and i^+i = 77^+1 — (fli+i, with i > 1, 
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I {^v(y > x), Byiy > x)) 



stutt{{y > a:} U {y < x}) 



□ (tt,0)-* 

(3y(j/ > x), 3y{y > x)) 

I 

{3y{y > a:+ 1)J) ^ 

{3y{y > x + 1), 3y{y > £c + 1)> 



i3yiy<x + l)J) ^ 

{^yiy = x + l), ^y(y = x + l)) 



{3y{y > x + 1), 3y{y > x + 1)) 



{3y{y < a; + 2)J) ^ 
{^y{y = x + 2), ^yiy = x + 2)) 
I 



Fig. 1. Tree representation of in the example. 



Bxtti+i <^ bi ^ fli+i. A conditional reactive sequence s — ti . . .tn . . . is x-invariant 
if for each computational step U = r]i ^ {ai,bi), it holds that bi — B^bi (g) ai. 

Finally, the semantics of the process call p{x) collects the sequences in the inter- 
pretation X{p{x)), delayed by one time unit, as stated in the operational semantics. 

Let us show an illustrative example. Consider the tccp agent A = ask(y > 0) 
tell(z < 0). The semantics is composed of two sequences: 

AlAji ={ (y > 0, 0) ^ (2/ > 0, J/ > 0) • {tt, 0) ^ > 0, 2/ > ® z < 0) • □} 
U {stutt{y > 0) • s I s e 



3.3 Fixpoint Denotations of Declarations 

Now we can define the semantics for a set of process declarations D as the fixpoint of 
the immediate consequences operator 2?|Z)]x ■— ^p{^)-\_\p(x)--AeD -^l^li ^ which 
is continuous. Thus, it has a least fixpoint and we can define the semantics of D as 
J-" [[13] — lfp{'DlD}). As an example, in Figure [l] we represent the (infinite) set of 
traces of ;— 3y ( ask(y > a;) p{x + 1) + ask(y < — > skip)}] 

In (?) we have proven that Di D2 if and only if J^jZ^i] = J^[[Z32] (correctness 
and full abstraction of T w.r.t. ~ss)- 



4 Abstract semantics for tccp: the abstraction scheme 

In this section, starting from the fixpoint semantics in Section [3j we present an 
abstract semantics which approximates the observable behavior of the program. 
Program properties that are of interest are Galois Insertions between the concrete 
domain and the chosen abstract domain. We assume familiarity with basic results 
of abstract interpretation (?). 



For the sake of simplicity, we assume that we can use expressions of the form x + 1 directly in the 
arguments of a process call. We can simulate this behavior by writing tell(x' = x + 1) p{x') 
(but introducing a delay of one time unit). 
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We define an abstraction scheme where we develop the abstraction of computa- 
tions, i.e., of maximal sets of conditional reactive sequences, by successive lifting. 
We start with a function that abstracts the information component of the program 
semantics, i.e., the store; then we build the abstraction of conditional tuples; then 
of conditional reactive sequences and, finally, of maximal sets. 

We start from an upper-approximating function t+ : C — >■ C into an abstract 
constraint system C = {C,^,^,®,tt,ff , Var,3), where tt and ff are the smallest 
and the greatest abstract constraint, respectively. We often use the inverse relation 
h of ^. We have also a lower-approximating function t~ : p(C) — )■ C into an abstract 
constraint system C = {C,^,^,®,it,ff, Var, 3). This second function is needed to 
(correctly) deal with the negative part of conditions. 

We have two "external" operations x : C x C ^ C and x : C x C ^ C that 
update an abstract store with a concrete constraint (coming from the program). 
In addition, a "bridge" relation h e C x C decides if an upper-abstract constraint 
is consistent with a lower-abstract constraint. Abstract and concrete constraint 
systems are related by these conditions: 

cXT-{C)=r-{{c}UC) 
T-{CUC') = T-{C)®T-{C') 
r"({a}) h r-(C) =^ 3c G C. a h c 
r-({3.c|ceC}) = 3,r-(C) 

An abstract condition is a pair of the form (^,17) gCxC. Similarly to the concrete 

case, given an abstract condition rj = {ri,fi) and an abstract store a G C, we say 
that a satisfies 77 (written a [> 77) when rj ^ ff and ah?), but d [/ i). Given an 
abstract condition r), a,b & C and a e C, an abstract conditional tuple is either a 
triple fj (a, b) , such that a [> ry, or a construct of the form stutt{a)"^, where 
m G {0, +00} states how many times the corresponding tuples appear consecutively 
in the sequence. Given a (concrete) conditional tuple t, we define its abstraction 
a{t) as 

a{{V^,V') -> («, b)) = (r+(77+),r-(r?-)) ^ (r+(a), r+{b)}' 
a{stutt{C)) = stutt{T~{C)Y 

Now, an abstract conditional reactive sequence is a sequence of different abstract 
tuples ti . . . t„i .... maybe ended with □. The natural number associated to each 
abstract conditional tuple is needed to keep synchronization among processes due 
to the particularly strong synchronization properties of the language, as already 
noticed in (?). 

The abstraction a{s) of a sequence of conditional tuples s is defined by struc- 
tural induction on the form of its tuples. It collapses all the computation steps 
(conditional tuples) that, after abstraction, coincide. Formally, a{e) = e, ct{D) = □ 



c X T'^{a) = r"''(c(8) o) 

r+ (o ® 6) = T+ (a) (g) r+ (6) 

ol-6=^r+(a)hT+(6) 

T+(3:. a) = 3,r+(a) 

Vc G C. a\/ c=^ T+(a)i/ t'(C) 
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and 

77 — > (a, &) ■ r if a{t) = f] ^ {a, b) , a{r) = f/ ^ (a, b) ■ f 

stutt{a)'"^+^ ■ f if a{t) = stutt{aY , a{r) = stuttid)"' ■ f 

a{t) ■ a{r) otherwise 

We extend this definition to sets of conditional sequences in the natural way. 

We denote by A the domain q;(M) of the sets of abstract conditional reactive 
sequences. By adjunction we derive the concretization function 7 such that 

(M, C, ^> T) ±=^ (A, <, V, A' ^' T) 

where a < a' <^=^ 7(a) C 7(a'). 

This abstraction can be systematically lifted to the domain of interpretations: 
I < » [MGC — A] so that we can derive the optimal abstraction of I'll?] 
simply as P^ID] :— aoVlDj o 7. The abstract interpretation theory ensures that 
T°'lDl := P^ID] t w is the best correct approximation of TlDj. 

It turns out that V"lDjx^ = Xp{x).\J p^^y_^^^ A^fAjx^ , where A^lh" is de- 
fined by structural induction on the syntax in a similar way as the concrete version. 
Given the similarity to the concrete case, in the following we describe only two 
cases in order to illustrate the use of the upper- and lower-approximations (for full 
details consult (?)). The semantics for the tell agent just applies the abstraction to 
the only concrete sequence, thus: ^"|tell(c)]ia = {{tt,ff) {it, t~^{c)) ■ □}. For 
the now semantics, we only show the general case when the condition holds, and 
the general case when it does not hold: 
A°'lnow{d) then A else B}x<^ = 

{{d X fj,fi) — > (d X a, dx b)"-(d0 s) j (7), 77) — > (a, b)" ■SeA'^lAjx" , dx a5- [dx-q, 77)} 

V . . .V 

{iv,dx ij) (a, b)^-{-n,fi) -> (a, &)"-s| (77, 77) (a, 6)"^^Se ^"|[B]io , a > (77, dx 77)} 

V . . . 

the operator is the abstract counterpart of the concrete version. 



5 Abstract diagnosis of timed concurrent constraint programs 

Now, following the ideas of (?), we define the abstract diagnosis of tccp. The frame- 
work of abstract diagnosis (?) comes from the idea of considering the abstract 
versions of Park's Induction Principle]^ It can be considered as an extension of 
declarative debugging since there are instances of the framework that deliver the 
same results. In the general case, diagnosing w.r.t. abstract properties relieves the 
user from having to specify in excessive detail the program behavior (which could 
be more error-prone than the coding itself). 

Let us now introduce the workset of abstract diagnosis. Having chosen a property 
of the computation a of interest (an instance of the abstraction scheme of SectionB, 



^ A concept of formal verification that is undecidable in general. 
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given a set of declarations D and 5" G A, which is the specification of the intended 
behavior of D w.r.t. the property a, we say that 

1. D is (abstractly) partially correct w.r.t. if a(J^|-D]) < S". 

2. D is (abstractly) complete w.r.t. 5" if 5" < q:(J'|L']). 

3. D is totally correct w.r.t. S", if it is partially correct and complete. 

In this setting, the user can only reason in terms of the properties of the expected 
concrete semantics without being concerned with (approximate) abstract compu- 
tations. The diagnosis determines the "originating" symptoms and, in the case of 
incorrectness, the relevant process declaration in the program. This is captured 
by the definitions of abstractly incorrect process declaration and abstract uncovered 
element: 

Definition 5 

Let D he a, set of declarations, R a process declaration and {e},S" G A. 
R is abstractly incorrect w.r.t. S" if I?"|{i?}]5o ^ S" . 
e is an uncovered element w.r.t. 5" if {e} < 5" and {e} A P^li'J^Q = _L. 

Informally, R is abstractly incorrect if it derives a wrong abstract element from the 
intended semantics, e is uncovered if the process declarations cannot derive it from 
the intended semantics. 

It is worth noting that the notions of correctness and completeness are defined 
in terms of q;(J^|Z)]), i.e., in terms of abstraction of the concrete semantics. The 
abstract version of algorithmic debugging (?), which is based on symptoms (i.e., 
deviations between a(J^|D]) and S"), requires the construction of a(J^|Z3]) and 
therefore a fixpoint computation. In contrast, the notions of abstractly incorrect 
process declarations and abstract uncovered elements are defined in terms of just 
one application of D" [Z?] to S". The issue of the precision of the abstract semantics 
is specially relevant in establishing the relation between the two concepts (i.e., the 
relation between abstractly incorrect process declarations and abstract uncovered 
elements on one side, and abstract partial correctness and completeness, on the 
other side)j^ 




1. If there are no abstractly incorrect process declarations in D, then D is par- 
tially correct w.r.t. 5". 

2. Let D be partially correct w.r.t. 5". If D has abstract uncovered elements 
then D is not complete. 

When applying the diagnosis w.r.t. approximate properties, the results may be 
weaker than those that can be achieved on concrete domains just because of ap- 
proximation. Abstract incorrect process declarations are in general just a warning 
about a possible source of errors. Because of the approximation, it can happen that 
a (concretely) correct declaration is abstractly incorrect. However, as shown by 
the following theorem, all concrete errors are detected, as they lead to an abstract 
incorrectness or abstract uncovered. 

® Proofs are available at http://www.dinii.uiiiud.it/coiiiini/Papers. 




Theorem 1 



12 



M. Comini, L. Titolo and A. Villanueva 



Theorem 2 

Let r be a process declaration and S a concrete specification. 

1. If and aCDllr}}^)^ a{S) tfien r is abstractly incorrect w.r.t. 
a(5). 

2. If there exists an abstract uncovered element a w.r.t. a{S), such that 7(a) C S 
and 7(J-) = J-, then there exists a concrete uncovered element e w.r.t. S (i.e., 
e E 5 and eHVlDjs = -L). 

It is particularly useful for applications the fact that our proposal can be used 
with partial specifications and also with partial programs. Obviously, one cannot 
detect errors in process declarations involving processes which have not been speci- 
fied, but for the process declarations that involve processes that have a specification, 
the check can be made, even if the whole program has not been written yet. This 
includes the possibility of applying our "local" method to all parts of a program not 
involving constructs which we cannot handle (yet) . With other "global" approaches 
such programs could not be checked at all. 

It is worthy to note that, even for a noetherian abstract constraint system C, the 
domain of abstract sequences defined above is not — in general — noetherian, due to 
the use of the index in each tuple (we cannot get rid of it since it is needed to keep 
synchronization among parallel processes). This means that our current proposal 
cannot be used for static program analysis, unless we resort to use widening oper- 
ators. However (for noetherian abstract constraint systems) our abstract diagnosis 
is effective since specifications have to be abstractions of some concrete semantics 
and, since the store evolves monotonically, it holds that the number of conditional 
tuples that can appear in an abstract sequence is, thus, finite. 

5. 1 Examples of application of the framework 

Let us now show two illustrative examples of the approach. The first example shows 
the new ability of our approach: that of dealing with the constructors that introduce 
the non-monotonic behavior of the system, in particular the now agent. 

Example 1 

We model a (simplified) time-out{n) process that checks for, at most, n times units 

if the system emits a signal telling that the process evolves normally (system = ok). 

When the signal arrives, the system emits the fact that there is no alert (alert — 

no)Q Let do, dn, dacUon be the following declarations: 

time-out{0):— r\ovj{system — ok) then action else {ask(tt) — > time-out(Q)) 
time-out(n):— r\ovj{system — ok) then action else (ask(it) — >■ time-out{n — 1)) 
action:— te\\{alert — no) 

When the time limit is reached (declaration do), the system should set the signal 
alert to yes {te\\{alert = no)). However, we have introduced an error in the program, 
calling the process recursively instead: time-out{0). 

^ The classical timeout would restart the countdown by recursively calling time-out(n). 
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Due to the simplicity of the constraint system, the abstract domain coincide with 
the concrete one, and the two external functions are the ® and ® operators. 

Let us now consider the following specification. For do we expect that, if the ok 
signal is present, then it ends with an alert = no signal, otherwise an alert should be 
emitted. This is represented by two possible sequences, one with a condition where 
system = ok, and a second one when system = ok is absent (this is a sequence that 
reasons with the absence of information). 

S" {time-out{0)) = { {system = ok,ff) {system = ok, system = ok)^- 

{it,ff) — >■ {system = ok, system = ok ® alert = no)^ ■ □} 

U {{it, {system = ok}) {it, it)^ ■ {it.ff) -> {it. alert = yes)^ ■ □} 

The specification for dn is similar, but we add n sequences, since we have the 
possibility that the signal arrives at each time instant before n. 

S" {time-out{n)) = {{tt, {system = ok}) {it, it)"^- 

{system = ok,ff) {system = ok, system = ok)^- 
{it,ff) {system = ok, system = ofc (§) alert = no)^ • □ | < m < n} 
U {{it, {system = ok}) {it, it)"'^^ ■ {it,ff) {it, alert = yes)^ ■ □} 

S"{action) = {{it,ff) {it, alert = no)^ ■ □} 

Now, when we compute ^'"[[{dollso we have: 

{{system — ok,ff) — >■ {system = ok, system = ok)^- 

{it,ff) — > {system — ok, system = ok ® alert = no)^ ■ □} 
U {{it, {system = ok}) — > {it, it)^ ■ {system — ok,ff) — >■ {system = ok, system = ok)^- 

{it,ff) — > {system = ok, system — ok (g) alert — no)^ ■ □} 
U {{tt, {system = ok}) {it, tt)'^ ■ {it,ff) {it, alert = no)^ ■ □} 

Due to the last sequence, 2?"[{(io}]5'>^'5", so we conclude that do is (abstractly) 
incorrect. This is due to the recursive call in the else branch of the declaration. 
If we fix the program replacing do by d'^ where the recursive call is replaced by 
te\\{alert = yes), then ^^"llcJolls'" < thus d'o is abstractly correct. 

In (?) it was studied an example where a control process checks whether a failure 
signal arrives to the system. The most important point that differs from the timeout 
example is that, in the control case, someone has to explicitly tell the system that 
an error has occurred. Instead, in the timeout example, the system is able to act 
(and maybe recover) when it detects that something that should have happened, 
hadn't. In other words, the control example does not handle absence of information, 
since non-monotonic operators are not considered there. We have implemented the 
example in tccp and we have checked that the same results can be achieved in our 
framework if we apply the same abstraction they use (a depth{k) abstraction). 

The second example we show illustrates how one can work with the abstraction of 
the constraint system, and also how we can take advantage of our abstract domain. 

Example 2 
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Let us consider a system with a single declaration and the abstraction of the con- 
straint system that abstracts integer variables to a (simplified) interval-based do- 
main with abstract values {T,poSj.,neg^,a;>10, a;<10, _L}. 

p{x) :- now(a;>0) then 3x' {te\\{x = [.\x']) \\ te\\(x' = [x + 1|_]) || p{x')) 
else 3x" {te\\{x = [.\x"]) || tell(a;" = [x- 1|_]) || p{x")) 

Due to the monotonicity of the store, we have to use streams (written in a list- 
fashion way) to model the imperative-style variables (?). In this way, variable x 
in the program above is a stream that is updated with different values during the 
execution. Following this idea, the abstraction for concrete streams is defined as 
the (abstracted) last instantiated value in the stream. The concretization of one 
stream is defined as all the concrete streams whose last value is a concretization of 
the abstract one. We write a dot on a predicate symbol (e.g. =) to denote that we 
want to check it for the last instantiated value of a stream. 

We define the following intended specification to specify that, (a) if the parameter 
is greater than 10, then the last value of the stream (written i) will always be greater 
than 10; (b) if the parameter is negative, then the value is always negative 
S"{p{xi) = {{xi>W,ff) ^ (a;>10, x>W)+^} U {(neg„#) ^ (neg^, neg^>+°°} 

The two abstract sequences represent infinite computations thanks to the -|-oo in- 
dex in the last tuple. In other words, finite specifications that represent infinite 
computations can be considered and effectively handled. In fact, we can compute 
P«[{4l5c: 

{ {{neg^J) ^ (posi, pos^y ■ (pos^ © (i>10,#) ^ {i>10, i>10)+°°)} 
U {(negi,f') (neg^, neg^)^ • (neg^,#) (neg^, negi)+°°}} 

, ^ , 

{ {(negi,if) ^ (posi, pos^)' • (pos^ ® x>W,ff) ^ (pos^ © i>10, pos^ (g) a;>10)+°°)} 
U {(negi, if ) {negj., neg^)^ • (ncg^, if ) (neg^, neg^}^°°}} 

{{(pos^,f) ^ (pos^, pos^)+°°}U{(negi,#) ^ (neg^, neg^>+°°}} 

The third equality holds because poSj. entails a;>10, so the merge of the two con- 
straints will be equal to pos^. 

Since r'"|{d}]5<» ^ we can conclude that d is an incorrect declaration w.r.t. 
<S". In addition, wc can notice that S" contain an uncovered element that is a 
sequence that cannot be derived by the semantics operator. 

6 Related Work 

A top-down (big-step) denotational semantics for teep is defined in (?) for terminat- 
ing computations. In that work, a terminating computation is both, a computation 
that reaches a point in which no agents are pending to be executed, and also a com- 
putation that suspends since there is no enough information in the store to make 
the choice agents evolve. Our semantics is a bottom-up (small-step) denotational 
semantics that models infinite computations, and also distinguishes the two kinds 
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of terminating computations aforementioned. Conceptually, a suspended computa- 
tion has not completely finished its execution, and, in some cases, it could be a 
symptom of a system error. Thus, the new semantics is well suited to handle, not 
only functional systems (where an input-output semantics makes sense), but also 
reactive systems. 

In (?), a first approach to the declarative debugging of a ccp language is presented. 
However, it does not cover the particular extra difficulty of the non-monotonicity, 
common to all timed concurrent constraint languages. As we have said, this ability 
is crucial in order to model specific behaviors of reactive systems, such as timeouts 
or preemption actions. This is the main reason why our abstract (and concrete) 
semantics arc significantly different from (?) and from formalizations for other 
declarative languages. 

The idea of using two different mechanisms for dealing with positive and negative 
information in our abstraction scheme is inspired by (?). There, a framework for 
the abstract model checking of tccp programs based on a source-to-source transfor- 
mation is defined. In particular, it is defined a transformation from a tccp program 
P into a tccp program P that represents a correct abstraction of the original one (in 
the sense that the semantics of P arc included in the semantics of P). Instead, we 
define an abstract semantics for the language. The upper- and lower-approximated 
versions of the entailment relation are used in order to keep P correct, but also 
precise enough. 



7 Conclusion and Future Work 

We have presented a new compact, bottom-up semantics for the tccp language which 
is correct and fully abstract w.r.t. the behavior of the language. This semantics 
is well suited for debugging and verification purposes in the context of reactive 
systems. The idea of using conditions in order to have a correct bottom-up semantics 
can be also applied to other non-monotonic languages such as, for example, ntcc in 
the ccp paradigm (?) or Linda in the imperative (coordination) paradigm (?). 

Then, an abstract semantics that is able to specify (a kind of) infinite computa- 
tions is presented. It is based on the abstraction of computation sequences by using 
two functions that satisfy some properties in order to guarantee correctness. All our 
examples satisfy those conditions. The abstract semantics keeps the synchronization 
among parallel computations, which is a particular difficulty of the tccp language. 
As already noticed in (?), the loss of synchronization in other ccp languages just 
implies a loss of precision, but in the case of tccp, due to the maximal parallelism, 
it would imply a loss of correctness. 

Finally, we have adapted the abstract diagnosis approach to the tccp language 
employing the new semantics as basis. We have presented two illustrative examples 
to show the new features of our approach w.r.t. other paradigms. 

As future work, we intend to work on abstractions of our semantics to domains 
of temporal logic formulas, in order to be able to specify safety and/or liveness 
properties, and to compare its models w.r.t. the program semantics. Another inter- 
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esting aspect is to study if a general framework for the proposed methodology can 
be defined in order to apply it to other languages. 



